Server Side Request Forgery (SSRF) in bookstackapp/bookstack
Jul 27th 2023
The webhook function can be pointed at the server's own local environment.
Because the error message differs depending on whether a connection succeeds, this blind SSRF makes it possible to port-scan the local environment.
Proof of Concept
After logging in, open the webhook settings page and create a webhook whose endpoint URL follows the pattern below. The difference between the resulting error messages (a response status from a listening service versus a connection-refused error from a closed port) shows that the local environment is reachable.

POST /settings/webhooks/create HTTP/2
Host: demo.bookstackapp.com
...

_token=6AoIWKtSMXumoIqe2YyXsDREcraLVqwaIjf8VEV0&active=true&name=a&endpoint=http &timeout=20&events =all
Response Result (Error Message)
Response status from endpoint was 405
cURL error 7: Failed to connect to localhost port 1234 after 0 ms: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://localhost:1234/
This allows a port scan against the host's local environment.
Sensitive information from the local environment may also be obtained.
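The usual mitigation for this class of webhook SSRF is to reject endpoint URLs whose host resolves to loopback, private, link-local or otherwise internal addresses, both when the webhook is saved and again when it is dispatched. The following is an added illustrative validator written for this report; it is not BookStack's own code, and the resolver hook and function names are assumptions.

```python
"""Reject webhook endpoints that point at loopback, private or otherwise
internal addresses. Apply this when the URL is saved and again when the
request is actually sent (re-resolving and pinning the address), otherwise
a hostname can be re-pointed at an internal address between the two steps."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolve(host):
    """Resolve a hostname to every address it currently maps to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _is_internal(address):
    """True for any address that reaches the server's own network."""
    ip = ipaddress.ip_address(address)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_webhook_endpoint(url, resolver=_system_resolve):
    """Return (ok, reason). ok is True only for an absolute http(s) URL whose
    host resolves to at least one address, none of which is internal.
    `resolver` is a hypothetical hook so the check can run offline in tests."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "endpoint has no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return False, "host does not resolve"
    for address in addresses:
        if _is_internal(address):
            return False, f"{host} resolves to internal address {address}"
    return True, "ok"
```

A URL such as http://localhost:1234/ is rejected before any request is made, so the "Connection refused" / "status 405" difference the report relies on never reaches the user.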